It uses PluginDetect, a script module from h00p://www.pinlady.net/PluginDetect/, a tool that can determine the currently installed versions of the operating system and of selected applications such as IE, Chrome, Adobe Flash, and PDF readers. With this tool at hand, the malicious script placed below the PluginDetect script can select the exact exploit to execute.

However, in this specific malware script, the only application checked is Adobe Flash. If the version is between 10.0 and 10.2.159, it opens /read/engineering_best.php?xtekiq=32:1k:32:1i:1g&uqphr=31:3b:3d:36&gpjxgrfu=2v:1h:1f:33:1m:1f:2v:1k:31:2w&gbgbyq=lfha. Then, if the version is below 10.3.181.24, it opens /read/engineering_best.php?gynwb=32:1k:32:1i:1g&aatwawb=3h:3l:38:38:33:37&fteu=2v:1h:1f:33:1m:1f:2v:1k:31:2w&info=02e67fbb1b70fa4a727caa615381613e3d73d9d5370a3436400595f7d0a2e22159e953d3984a6928056c5d9e1c022d7d28c7e56da4d8620bb24d8d8c7904786fe5. Either of these is opened relative to the domain it started from, which is either h00p://11.lamarianella.info or h00p://11.laptopvspc.com. What is expected here is that it downloads SWF files, most likely exploit SWFs that would trigger the shellcode returned by the getShellCode() function. At the time of this writing the SWFs can no longer be downloaded.

In any event, the script still opens h00p://11.sephoracouponscode.com/adobe/ in the default browser regardless of what PluginDetect retrieves from the system environment. This website hosts a fake Adobe update page.

The site is a complete replica of the real Adobe site and lures users into downloading adobe_flash_player.exe, a fake update that is actually the malware.

getShellCode()

The shellcode, when converted to its binary form, is 538 bytes. This code begins by decrypting (not decompressing) the rest of its code. A simple look at the decrypted dump shows the following URL:

The code proceeds by locating the first link entry in the EPROCESS blocks, usually NTDLL.DLL. It then searches for the DWORD 0x0c330408b starting from the process's base address.

As of this writing, the URL that retrieves wpbt0.dll no longer exists.

adobe_flash_player.exe

The first thing it does is verify that the IOleContainer COM interface exists. The malware requires this interface to be able to use global streams later. It does this by checking for the existence of this registry key:

Now, in the virtually allocated space, execution continues by allocating another region with HeapAlloc. It decrypts more data into this new region, and the decrypted data turns out to be a PE file. Using the import table information from this new PE's header, it loads all the required libraries and the APIs it will use.

It also calls UnmapViewOfFile with the current running process as its parameter.

Unmapping a mapped view of a file invalidates the range occupied by the view in the address space of the process and makes the range available for other allocations. It removes the working set entry for each unmapped virtual page that was part of the working set of the process and reduces the working set size of the process. It also decrements the share count of the corresponding physical page.

Since the original malware process has already transferred control to the allocated memory space, it can successfully unmap itself. Unmapping also means clearing and freeing the process's image space, so nothing can be dumped from that area. In this case, however, the malware only removed the image mapping; references to that space still exist in the Process Environment Block (PEB).

What happens next is a call to VirtualAlloc requesting the base address stated in the header of the newly decrypted PE file. Since the base address here is 0x0400000, the same as that of the unmapped image, the memory allocation succeeds.

At this point, the PEB has been updated only with the new entry point and image base; the original file name and path were not touched at all. A black-box dump of the process memory would therefore look like a different file from the one originally executed.
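That mismatch (PEB image base and entry point rewritten, file path left pointing at the original executable) is what a memory-forensics check can key on. The following Python is an added example, not code from the original post or from the malware: it builds constructed minimal PE32 headers standing in for the in-memory image and the on-disk file the PEB still names, parses ImageBase and AddressOfEntryPoint from each, and reports which fields disagree.

```python
import struct

# Constructed minimal PE32 image (headers only, no real sections) used as
# sample input; it is NOT the malware's file. Only the fields read by
# pe_base_and_entry() carry meaningful values.
def build_pe(image_base, entry_point):
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF file header: Machine=i386, 1 section, SizeOfOptionalHeader=0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    # Optional header: Magic, linker versions, three size fields,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0,
                      entry_point, 0, 0, image_base)
    opt += b"\x00" * (0xE0 - len(opt))
    return dos + b"PE\x00\x00" + coff + opt

def pe_base_and_entry(data):
    """Return (ImageBase, AddressOfEntryPoint) from a PE32 header blob."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20            # skip signature and COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    base = struct.unpack_from("<I", data, opt + 28)[0]
    return base, entry

def hollowing_indicators(in_memory_hdr, on_disk_hdr):
    """Compare the PE header found at the process image base against the
    header of the file the PEB's ImagePathName still points to. Returns the
    names of the fields that disagree; an empty list means no indicator."""
    mem_base, mem_entry = pe_base_and_entry(in_memory_hdr)
    disk_base, disk_entry = pe_base_and_entry(on_disk_hdr)
    findings = []
    if mem_base != disk_base:
        findings.append("image_base")
    if mem_entry != disk_entry:
        findings.append("entry_point")
    return findings

if __name__ == "__main__":
    # Sample's situation: same base (0x400000), different entry point.
    on_disk = build_pe(0x400000, 0x1000)
    in_mem = build_pe(0x400000, 0x2340)
    print(hollowing_indicators(in_mem, on_disk))
```

Because this sample reuses the original base address, a check that compares only the image base would pass; the entry point comparison is what exposes it.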

Notice that it loads ole32.dll, as expected after verifying IOleContainer in the registry; it uses this library to push messages and data to a global stream.

Next is an anti-emulation technique. Emulators usually simulate the sequence of instructions but have limits. This particular looping technique is commonly employed by many malware families. What it does is try to exceed the instruction count limits of emulators.

In the function that steals information from Internet Explorer, it retrieves data for IntelliForms. IntelliForms is an IE feature related to AutoComplete and saved passwords. Its data can be found in the registry under

Now with better privileges, it does the whole stealing process again.
Clean up
Yes, it does delete the file it came from. It creates a batch file containing commands that delete the malware executable and the batch file itself.
It uses the current tick count as the batch file's filename.

The batch file is then executed with two parameters: the batch file name and the malware file name.
Different variants of Fareit have been around for quite some time. The malware's effectiveness would have been very useful to its authors, especially since it carries both account-stealing and malware-downloading payloads.
We hope this information helps administrators secure their machines, and in turn their clients, better.